Role in IT decision-making process:Align Business & IT GoalsCreate IT StrategyDetermine IT NeedsManage Vendor RelationshipsEvaluate/Specify Brands or VendorsOther RoleAuthorize PurchasesNot Involved

Work Phone:

Company:

Company Size:

Industry:

Street Address

City:

Zip/postal code

State/Province:

Country:

Occasionally, we send subscribers special offers from select partners. Would you like to receive these special partner offers via e-mail?YesNo

Your registration with Eweek will include the following free email newsletter(s):News & Views

By submitting your wireless number, you agree that eWEEK, its related properties, and vendor partners providing content you view may contact you using contact center technology. Your consent is not required to view content or use site features.

By clicking on the "Register" button below, I agree that I have carefully read the Terms of Service and the Privacy Policy and I agree to be legally bound by all such terms.

Another WMF (Windows Major Foul-Up)

Opinion: How bad is the new WMF bug? Research suggests that the WMF format has been officially ruined.

Microsoft really has improved the security of its code over the last few years. The fact that every now and then a bug like the new WMF bug still comes along just goes to show how careless the old code is.

The problem with the WMF (Windows Metafile) file format turns out to be one of those careless things Microsoft did years ago with little or no consideration for the security consequences.

Almost all exploits you read about are buffer overflows of some kind, but not this one. WMF files are allowed to register a callback function, meaning that they are allowed to execute code, and this is what is being exploited in the WMF bug.

As a result, it is surprisingly easy to get hit with this attack, even if you are being careful. Ive heard stories of experienced researchers being hit while researching the attack.

Adware sites appear to be going hog-wild with this attack. According to Sunbelt Software, over a thousand sites are spreading more than 50 variants of it, thanks to an underground adware infection network that acts something like the DoubleClick of adware.

This appears to be another one of those attacks that will become a permanent part of the Internet landscape. Rather than try to keep the format useful for its customers, Microsoft ought to think of saving the rest of the world; WMF has become poisoned and its time for customers to move on.

In fact, given how this exploit works, the situation could be worse. The vulnerability is related to a GDI32 feature whereby WMF files are allowed to register a callback function that will be executed in certain situations. Perhaps resident malicious code could traverse the system and network, infecting all WMF files it encounters by adding this callback to it.

Before I get too hysterical about this, I should point out that an effective workaround exists to block the attack, albeit at the expense of some functionality in the system. See this story for instructions, which may also be found in an advisory from Microsoft (in the Suggested Actions/Workarounds/Un-register section).

Its also true that anti-virus companies have been working hard to keep up with the attacks, although there are, as I said above, a large number of variants.

This is, perhaps, where well separate the boys from the men with respect to heuristic detection (sorry for the sexist analogy, but it works): The better products should catch more of the variants through a generic detection of the exploit, but it may be impossible to detect all of them. We shall see. I tested one of the versions yesterday against the highly regarded Panda TruPrevent, which didnt stop it.

And as for users with no anti-virus protection, they were probably infected with other malware long ago, and are destined to get this too. The most likely way for someone to get this infection is to be shown a Web page with a malicious graphic, and most people will get those through pop-ups on systems that have been infected with adware.

Im told that there is a debate going on in Microsoft over whether to disable WMF file support in Internet Explorer. The fact that theres a debate probably means that Microsoft has customers relying on this behavior, and thats worth considering. To me the answer is clear: Leave it in and disable it by default. Create group and local policies to turn it back on so that larger customers and ISVs can re-enable it easily. This behavior should be extended to any, or at least most, nonstandard formats for IE.

Im hesitant at this point to go into details until there is a patch, but my own research confirms that the potential for spreading this attack far and wide is immense and that easier vectors than Web pages exist. Microsoft has already posted the workaround, but unless a real patch is imminent, the company needs to make a registry-based workaround and publish it through the Automatic Updates system so that users are quickly protected.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. He can be reached at larryseltzer@ziffdavis.com.

/zimages/3/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.